Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 8 of 8
  1. #1
    New Coder
    Join Date
    Nov 2005
    Posts
    56
    Thanks
    0
    Thanked 0 Times in 0 Posts

    hash and mod_rewrite for file download

    Hello, I have a file hosting website and I am experiencing an issue. If somebody looks in the source code they can see the direct path of the file, hence bypassing the 25 second wait time since i am using a download template file where every user sees the same download page template. One way I found of preventing that is by using hash and mod_rewrite to protect that so instead of having /downoad.php?action=2&file=filename.rar I would have /download.php?hash=10293812ihoasdsaodasd. I have coded it to have the hash directly generated and put into a database. My problem is how would I use mod_rewrite (any body have a code for that) and what would i put in the download.php and the download-summary.tpl.php to have hash used to retrive the files. The database is setup I am needing help with the download part and the mod_rewrite part.

    Thanks
    www.XtraFile.com
    -Free OneClick File Hosting!

  • #2
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,040
    Thanks
    10
    Thanked 92 Times in 90 Posts
    I dont think you really need mod_rewrite and databases and hashes etc...

    in the directory that stores the downloads... create or add in a .htaccess file

    <Directory /home/httpd/vhosts/domain/httpdocs/noaccess>
    Order Deny,Allow
    Deny from all
    Allow from localhost
    </Directory>

    this allows only your scripts to access the documents so knowing the path to the file helps nobody e.g.

    header("content-type: $whatever_is_approproate");
    echo file_get_contents('noaccess/'.$blah.'.blah');

    should work but direct requests should not
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #3
    New Coder
    Join Date
    Nov 2005
    Posts
    56
    Thanks
    0
    Thanked 0 Times in 0 Posts
    This would not work because my download template page gets info from download.php directly for example

    http://www.mydomain.com/download.php...ename.rar.html

    By using hash, this would be prevented
    Last edited by brotherhewd; 01-05-2006 at 07:26 AM.

  • #4
    New Coder
    Join Date
    Dec 2005
    Posts
    31
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Why not make an ID col. in the table in the database for each file and use queries like "... WHERE ID='" . $_GET['file'] . "'"

  • #5
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,040
    Thanks
    10
    Thanked 92 Times in 90 Posts
    so when someone goes to the dowmload page how does it work exactly ? a javascript timer that opens a new window to download the file or does a meta refresh to the actual download ?
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #6
    New Coder
    Join Date
    Nov 2005
    Posts
    56
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Deleted
    Last edited by brotherhewd; 01-09-2006 at 05:41 PM.

  • #7
    Senior Coder missing-score's Avatar
    Join Date
    Jan 2003
    Location
    UK
    Posts
    2,194
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I had to write an upload site once and thats basically what we did, and it is really the only decent way to ensure they wait. You dont HAVE to use .htaccess though.

    Create a hash and the store it in the database, also assign it a time indicator, then direct the user to an URL with a hash on the end of it: eg: www.mysite.com/file.php?hash=ziuerhb87

    Do your JavaScript countdown as usual and have the redirect to be to the exact same URL they are visiting now.

    Then, on the main file page use PHP to see if there is a hash set in the URL and if so, check the database for the time. If they have waited the full 30 seconds then give them file access, else reset the counter to 30 seconds (yeah, Im mean like that).

  • #8
    New Coder
    Join Date
    Nov 2005
    Posts
    56
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I know how to do the hash part and the redirect users to a url with a hash at the end of it.

    Now after that, I have no clue how to do what you just told me.

    Do your JavaScript countdown as usual and have the redirect to be to the exact same URL they are visiting now.

    Then, on the main file page use PHP to see if there is a hash set in the URL and if so, check the database for the time. If they have waited the full 30 seconds then give them file access, else reset the counter to 30 seconds (yeah, Im mean like that).
    =( sorry I have almost very little knowledge of php but I am learning =)


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •